Microsoft warns about new attacks using Exchange vulnerabilities

Microsoft had to confirm two new zero-day flaws used in active attacks

Microsoft warns about new zero-day flaws

Zero-day flaws are deemed critical because remote code execution is possible once they are exploited

Microsoft has confirmed two recently reported zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019. The flaws have already been exploited in the wild.[1] The company officially disclosed them in advisories[2] covering the Server-Side Request Forgery vulnerability and the remote code execution flaw.[3]

The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.

Microsoft noted that it is aware of limited targeted attacks that use these flaws to gain initial access to users' systems. CVE-2022-41040 can only be exploited by an authenticated attacker, but successful exploitation then allows the attacker to trigger the second flaw, the remote code execution vulnerability, on the machine.

According to the company, Microsoft Exchange Online customers do not need to take any action right now because the flaws only affect on-premises Microsoft Exchange instances. Microsoft is working on an accelerated timeline to release a proper fix as soon as possible; mitigation and detection guidance has been provided in the meantime.

Attackers have already used the flaws in active operations

The flaws were recently reported in the news, which described the ongoing attacks. These zero-day[4] flaws were chained to deploy China Chopper web shells for persistence, and the data theft attacks managed to move laterally through the networks of the targeted victims.[5]

The cybersecurity firm that first reported the incident noted that Chinese threat actors may be responsible for these attacks, that the group manages the web shells with the AntSword Chinese open-source website administration tool, and that Microsoft's character encoding for simplified Chinese was used.

Exploiting these zero-day vulnerabilities works in stages: the first flaw is used to request the connection and gain access, and the second uses that link in a PowerShell request to reach the backend component where remote code execution can be launched. This is why the flaw is categorized as critical.

The common method of weaponizing flaws

Microsoft notes that these attacks weaponize vulnerabilities to obtain initial access to targeted systems. Even though authenticated access to the vulnerable Exchange server is required in these cases to achieve the attackers' goals and successful exploitation, such attack methods are common. The two newest zero-day flaws are chained together in the exploit, with the SSRF bug enabling access and the second flaw remotely triggering arbitrary code execution.

This is not the first incident involving major flaws in Microsoft Exchange servers. Hive ransomware affiliates have exploited such flaws to attack particular organizations before. Those attacks involved the exploitation of ProxyShell flaws in Microsoft Exchange Server, with the goal of deploying malware on the system.

Cobalt Strike, which acts as a backdoor, was deployed then, and the threat actors performed network reconnaissance to steal admin account credentials and exfiltrate data from targeted machines.[6] Launching the file-locker was the final step of the operation; ransomware threats like this can encrypt the environment once initial access is gained and then demand large sums of money. Criminals mainly focus on financial gain, so the targets are always large businesses.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for He graduated from Washington and Jefferson College, Communication and Journalism studies.
